Cybersecurity Future and Artificial Intelligence (AI)

As businesses struggle to combat increasingly sophisticated cybersecurity attacks, made worse by the vanishing IT perimeters of today’s mobile and IoT era and by an acute shortage of skilled security professionals, IT security teams need both a new approach and powerful new tools to protect data and other high-value assets. Increasingly, they are looking to artificial intelligence (AI) as a key weapon to win the battle against stealthy threats inside their IT infrastructures, according to a new global research study conducted by the Ponemon Institute on behalf of Aruba, a Hewlett Packard Enterprise company (NYSE:HPE).

The Ponemon Institute study, entitled “Closing the IT Security Gap with Automation & AI in the Era of IoT,” surveyed 4,000 security and IT professionals across the Americas, Europe and Asia to understand what makes security deficiencies so hard to fix, and what types of technologies and processes are needed to stay a step ahead of bad actors within the new threat landscape.

The research revealed that in the quest to protect data and other high-value assets, security systems incorporating machine learning and other AI-based technologies are essential for detecting and stopping attacks that target users and IoT devices. The majority of respondents agree that security products with AI functionality will help to:

  • Reduce false alerts (68 percent)

  • Increase their team’s effectiveness (63 percent)

  • Provide greater investigation efficiencies (60 percent)

  • Advance their ability to more quickly discover and respond to stealthy attacks that have evaded perimeter defense systems (56 percent)

Twenty-five percent of respondents said they currently use some form of an AI-based security solution, with another 26 percent stating they plan on deploying these types of products within the next 12 months.

Current Security Tools are not Enough

“Despite massive investments in cybersecurity programs, our research found most businesses are still unable to stop advanced, targeted attacks – with 45 percent believing they are not realizing the full value of their defense arsenal, which ranges from 10 to 75 security solutions,” said Larry Ponemon, chairman, Ponemon Institute. “The situation has become a ‘perfect storm,’ with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, especially given the current lack of security staff with the necessary skills and expertise to battle today’s persistent, sophisticated, highly trained, and well-financed attackers. Against this backdrop, AI-based security tools, which can automate tasks and free up IT personnel to manage other aspects of a security program, were viewed as critical for helping businesses keep up with increasing threat levels.”

IoT and Cloud Add Significant Risk

Ponemon researchers found that the majority of IT security teams believe that a key gap in their company’s overall security strategy is their inability to identify attacks that use IoT devices as the point of entry. In fact, more than three-quarters of respondents believe their IoT devices are not secure, with 60 percent stating even simple IoT devices pose a threat. Two-thirds of respondents admitted they have little or no ability to protect their “things” from attacks. Continuous monitoring of network traffic, closed-loop detection and response systems, and detecting behavioral anomalies among peer groups of IoT devices were cited as the most effective approaches to better protect their environments.

Even the ownership model for IoT security presents potential risk. When asked who inside their organization was responsible for IoT security, responses were spread across the CIO, CISO, CTO, and line-of-business leaders, with no majority consensus. Only 33 percent identified the CIO, with no other executive or functional group achieving response totals above 20 percent. Surprisingly, “No Function” was the third-highest answer (15 percent).

Survey results also highlighted the importance of visibility and the ability to define which resources people and IoT devices can access, with 63 percent of respondents stating network access control is an important element of their company’s overall security strategy and critical for reducing the reach of inside exploits. Also cited as important was having detailed information about applications (71 percent), endpoints (69 percent), cloud (64 percent), and networks (63 percent), with more than half saying they currently deploy network access control solutions for enabling visibility and control across both wired and wireless networks.

Additionally, more than half of respondents said it’s hard to protect expanding and blurring IT perimeters resulting from requirements to concurrently support IoT, BYOD, mobile, and cloud initiatives (55%).

“Partnering with the Ponemon Institute helps us to improve customer experiences by better understanding security teams’ challenges, and then arming them with advanced solutions that enable quick identification and responses to an ever-changing threat landscape,” said Larry Lunetta, vice president of security solutions marketing for Aruba. “The insight gained from this study enables us to continually improve our ability to provide an enterprise wired and wireless network security framework with an integrated and more comprehensive approach for gaining back visibility and control.”

Apple Integrates Security Controls in iOS 12 Core

Apple's latest update for iOS incorporates ways to stop Safari snooping, data leaks, password reuse, and hacking.

In what has become one of the rituals of fall along with leaf peeping, tailgating, and apple picking, Apple recently introduced a new lineup of iThingies, complete with slick new iPhones and oversized Apple Watches. They all look really nice. But the most important release isn’t the (unironically named) iPhone XS or super-powerful MacBook Pro, it’s iOS 12.

The iPhone is the leader in the clubhouse as the most secure general-purpose computing device on the market. Apple’s control of both the hardware and software development process and ecosystem make the iPhone/iOS platform one of the harder targets there is for attackers at the moment. The company has been adding security features to both the hardware and software at a steady pace since the iPhone’s introduction, and iOS 12, which Apple released this week, brings several important new protections with it.

The features that will probably make the biggest immediate difference to most users are the addition of automatic strong passwords in Safari and security code AutoFill. Creating and remembering strong passwords is a pain so people often just fall back on something that’s easy to remember, which also means it’s probably easy for an attacker to guess. In iOS 12, Apple has added the capability for Safari to suggest strong, complex passwords automatically, something that has been available on the desktop version of the browser for a while. The second authentication change is a feature that will automatically fill in one-time passcodes sent via SMS. While SMS-based two-step verification isn’t the strongest option, it’s significantly better than a password alone, and Apple is making it much easier for people to use it by removing the need to copy and paste or remember those codes to enter them in apps.

Another major upgrade to the security of iOS is the inclusion of automatic software updates. Most desktop platforms have had automatic updates as an option for many years, but it’s taken a while for that feature to reach mobile devices. Until now, iPhone users needed to go into the App Store app and manually click on the Update option for each installed app. The same was true for iOS itself. In iOS 12, users have the option of setting iOS and all of the installed apps to update automatically, ensuring that the latest version is always installed. Even the minor releases of iOS come with security and bug fixes and are important for users to install, but many people aren’t even aware when new versions come out. Having automatic updates enabled takes the human part of that out of the equation.

There’s also a feature that’s less obvious but can be an important defense against some attacks. Apple has added a function called USB Restricted Mode that prevents any USB accessory from interacting with an iPhone if the device has been locked for more than an hour. The feature is buried in the Settings under the Touch ID & Passcode option and it can protect iPhones against attacks that use exploits delivered over the USB Lightning port.

On the privacy side of things, iOS 12 includes functionality in Safari that prevents third-party trackers on sites from following a user’s movements across the web without the user’s permission. It’s an important change, given how pervasive third-party tracking has become.

“Safari now prevents Share buttons and comment widgets on web pages from tracking you without your permission. Safari also prevents advertisers from collecting your device’s unique characteristics, so they can’t identify your device or retarget ads to you across the web,” Apple’s notes for iOS 12 say.

The iOS 12 update is available now. Get it.

FBI: Protecting Your Networks from Ransomware

Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. There are very effective prevention and response actions that can significantly mitigate the risk posed to your organization.

Ransomware targets home users, businesses, and government networks and can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation. 

Ransomware may direct a user to click on a link to pay a ransom; however, the link may be malicious and could lead to additional malware infections. Some ransomware variants display intimidating messages, such as:

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”

“You only have 96 hours to submit the payment. If you do not send money within provided time, all your files will be permanently encrypted and no one will be able to recover them.”

What is Ransomware?

Ransomware is a form of malware that targets your critical data and systems for the purpose of extortion. Ransomware is frequently delivered through spearphishing emails. After the user has been locked out of the data or system, the cyber actor demands a ransom payment. After receiving payment, the cyber actor will purportedly provide an avenue to the victim to regain access to the system or data. Recent iterations target enterprise end users, making awareness and training a critical preventive measure.

Protecting Your Networks

Educate Your Personnel

Attackers often enter the organization by tricking a user into disclosing a password or clicking on a virus-laden email attachment. Remind employees to never click unsolicited links or open unsolicited attachments in emails. To improve workforce awareness, the internal security team may test the training of an organization’s workforce with simulated phishing emails. For additional information on Avoiding Social Engineering and Phishing Attacks.

Ransomware Proactive Prevention is the Best Defense

Prevention is the most effective defense against ransomware and it is critical to take precautions for protection. Infections can be devastating to an individual or organization, and recovery may be a difficult process requiring the services of a reputable data recovery specialist.

The U.S. Government (USG) recommends that users and administrators take the following preventive measures to protect their computer networks from falling victim to a ransomware infection:

Ransomware Preventive Measures

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

• Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

Business Continuity Considerations

• Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.

• Conduct an annual penetration test and vulnerability assessment.

• Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.
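The mail-screening measures above (scan inbound mail, filter executables, block macro-bearing Office files) as one worked check. This is an added example, not part of the FBI guidance; the sample message, filenames and extension block-lists are constructed for illustration and are assumptions, not a complete policy.

```python
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Starting block-lists (assumptions for this example, not an exhaustive policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
MACRO_OFFICE_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ARCHIVE_EXTS = {".zip"}
MAX_ARCHIVE_DEPTH = 2   # nested archives are a common evasion; do not recurse forever


def extension_of(filename: str) -> str:
    return ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""


def is_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header regardless of extension."""
    return data[:2] == b"MZ"


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents are zip containers; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons (if any) this attachment should be quarantined."""
    reasons: list[str] = []
    ext = extension_of(filename)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if ext in MACRO_OFFICE_EXTS:
        reasons.append(f"macro-enabled Office extension {ext}")
    if is_pe(data):
        reasons.append("PE (MZ) header")
    if ooxml_has_vba(data):
        reasons.append("Office document with VBA macro project")
    if ext in ARCHIVE_EXTS and depth < MAX_ARCHIVE_DEPTH:
        # Look inside archives: Locky-style spam ships its scripts zipped.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    for r in classify_attachment(info.filename, zf.read(info), depth + 1):
                        reasons.append(f"{info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or non-zip archive")
    return reasons


def screen_message(raw: bytes) -> dict[str, list[str]]:
    """Map each flagged attachment's filename to its list of reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the style the Locky section describes: a zipped
    script plus a macro-enabled 'invoice', alongside a harmless PDF."""
    script_zip = io.BytesIO()
    with zipfile.ZipFile(script_zip, "w") as zf:
        zf.writestr("invoice_0042.js", "// placeholder script body for the example\n")
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00placeholder macro project")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "alice@example.invalid"
    msg["Subject"] = "Invoice 0042 attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(script_zip.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_0042.zip")
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Extension checks alone are weak (a renamed .exe passes them), which is why the PE header and the zip-container inspection are checked independently of the name.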

What to Do If Infected with Ransomware

Should preventive measures fail, the USG recommends that organizations consider taking the following steps upon an infection with ransomware:

• Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives.

• Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.

• Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.

• Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.

• If available, collect and secure partial portions of the ransomed data that might exist.

• If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.

• Delete Registry values and files to stop the program from loading.

Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.

There are serious risks to consider before paying the ransom. USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

• Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.

• Some victims who paid the demand were targeted again by cyber actors.

• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.

• Paying could inadvertently encourage this criminal business model.

How Law Enforcement Can Help

Any entity infected with ransomware should contact law enforcement immediately. Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations. Law enforcement can enlist the assistance of international law enforcement partners to locate the stolen or encrypted data or identify the perpetrator. These tools and relationships can greatly increase the odds of successfully apprehending the criminal, thereby preventing future losses.

Federal law enforcement places a priority on conducting cyber investigations in a manner that causes minor disruption to a victim entity’s normal operations and seeks to work cooperatively and discreetly with that entity. Federal law enforcement uses investigative measures that avoid unnecessary downtime or displacement of a company’s employees. Federal law enforcement closely coordinates its activities with the affected organization to avoid unwarranted disclosure of information.

As an affected entity recovers from a cybersecurity incident, the entity should initiate measures to prevent similar incidents. Law enforcement agencies and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center can assist organizations in implementing countermeasures and provide information and best practices for avoiding similar incidents in the future. Additionally, the affected organization should conduct a post-incident review of their response to the incident and assess the strengths and weaknesses of its incident response plan.

Ransomware Variants

Ransomware is a growing criminal activity involving numerous variants. Since 2012 when police locker ransomware variants first emerged, ransomware variants have become more sophisticated and destructive. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers. These variants are considered destructive because they encrypt users’ and organizations’ files, and render those files useless until a ransom is paid.

Recent federal investigations by the FBI reveal that ransomware authors continue to improve ransomware code by using anonymizing services like “Tor” for end-to-end communication to infected systems and Bitcoin virtual currency to collect ransom payments. Currently, the top five ransomware variants targeting U.S. companies and individuals are CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky. New ransomware variants are continually emerging.

CryptoWall

CryptoWall and its variants have been actively used to target U.S. victims since April 2014.

CryptoWall was the first ransomware variant that only accepted ransom payments in Bitcoin.

The ransom amounts associated with CryptoWall are typically between $200 and $10,000. Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world. Between April 2014 and June 2015, IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. CryptoWall is primarily spread via spam email but also infects victims through drive-by downloads and malvertising.

CTB-Locker

CTB-Locker emerged in June 2014 and is one of the first ransomware variants to use Tor for its C2 infrastructure. CTB-Locker uses Tor exclusively for its C2 servers and only connects to the C2 after encrypting victims’ files. Additionally, unlike other ransomware variants that utilize the Tor network for some communication, the Tor components are embedded in the CTB-Locker malware, making it more efficient and harder to detect. CTB-Locker is spread through drive-by downloads and spam emails.

TeslaCrypt

TeslaCrypt emerged in February 2015, initially targeting the video game community by encrypting gaming files. These files were targeted in addition to the files typically targeted by ransomware (documents, images, and database files). Once the data was encrypted, TeslaCrypt attempted to delete all Shadow Volume Copies and system restore points to prevent file recovery. TeslaCrypt was distributed through the Angler, Sweet Orange, and Nuclear exploit kits.

MSIL or Samas (SAMSAM)

MSIL or Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application. SAMSAM exploits vulnerable Java-based Web servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to the victim’s Active Directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.

Locky

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to businesses globally, including those in the United States, New Zealand, Australia, Germany and the United Kingdom. Locky propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip) that were previously associated with banking Trojans such as Dridex and Pony. The malicious attachments contain macros or JavaScript files to download the Locky files. Recently, this ransomware has also been distributed using the Nuclear Exploit Kit.

Links to Other Types of Malware

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically was infected by opening a malicious attachment from an email. This malicious attachment contained Upatre, a downloader, which infected the user with GameOver Zeus. GameOver Zeus was a variant of the Zeus Trojan used to steal banking information and other types of data. After a system became infected with GameOver Zeus, Upatre would also download CryptoLocker. Finally, CryptoLocker encrypted files on the infected system and demanded a ransom payment.

The disruption operation against the GameOver Zeus botnet also affected CryptoLocker, demonstrating the close ties between ransomware and other types of malware. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Cyber security IT skills in-demand in US

There’s no doubt that demand for the technologically skilled will only increase in the upcoming years, as practically every company becomes a software-driven enterprise. A survey by the jobs site Monster found that in the US, jobs in the digital sector have multiplied at more than twice the rate of other non-digital tech sectors, and are predicted to grow by 20% in the next decade.

However, which skills will be particularly in demand? While it’s unlikely that the IT skills demanded by the jobs market today will become redundant within our lifetimes, the field is constantly evolving, and there are certainly growth areas on the horizon that IT professionals would do well to educate themselves in.

Cyber security

Cyber security is an area set to grow exponentially in importance in the upcoming years. Every time a breach is suffered by an organisation, there is a huge cost both in terms of financial loss and loss of reputation and brand value.

A recent study carried out by jobs site Indeed indicated that the US is dangerously short on cyber security skills and that the number of cyber security jobs advertised in the US is the third highest globally, meaning demand exceeded candidate interest by more than three times.

Development

Demand for skills in development is here to stay (for the time being anyway – this could change as soon as AI is more widely used to code). In 2017, the demand for software developers and engineers increased by 13% in the UK.

Devops

Another important area of growth is the trend for companies to take a devops approach to their IT departments, meaning that developers well versed in this outlook will be the most employable.

Cloud computing

It’s widely recognised that cloud computing is the future, and every IT professional should feel comfortable using these systems. Demand for cloud infrastructure specialists is increasing across the board.

Machine Learning and AI

These are two obvious areas of increasing growth. In the US, demand for AI jobs increased threefold between 2015 and 2018, even surpassing the UK in terms of demand.

HOW DOES RANSOMWARE WORK?

  1. Ransomware infections occur when a user opens a malicious email attachment, clicks on a malicious link, or visits a website infected with malicious code, known as a drive-by download.

  2. Once a system is infected, the ransomware contacts a command and control (C2) server to generate an encryption key and begins encrypting files on the victim’s machine.

  3. The ransomware runs quietly in the background performing in-depth searches of all disk folders, including removable drives and network shares, and encrypts as many files as it can.

  • Ransomware may also delete Shadow Volume Copies, destroy restore points, and overwrite free disk space to prevent victims from recovering their files and systems without paying the ransom.

  • If a system is powered off as files are being encrypted, some ransomware variants resume where they left off when the system or device is powered on again.

  4. After files are encrypted, a ransom note is displayed on the screen with instructions on how and where to pay the ransom and the length of time before the hacker or software destroys the decryption key.

  • Some recent variants offer victims a ‘second chance’ to pay after the initial timer expires; however, the ‘second chance’ is often at least double the original ransom amount.

  5. If the victim pays the ransom, the malware is supposed to contact the C2 server for the decryption key and begin decrypting the victim’s files; however, in many cases, the files are never decrypted.

  • Some ransomware files can delete themselves in order to avoid detection and analysis by security researchers or law enforcement.
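Detection logic for the behaviour steps 2 and 3 describe (a process rewriting many files with encrypted-looking content, renaming them to a new extension, and removing Shadow Volume Copies), added here as an example and not taken from the original text. The event format, the thresholds and the sample trace are constructed assumptions; real agents report richer events and thresholds need tuning per environment.

```python
from __future__ import annotations

import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class FileEvent:
    """One file-system or process event as a monitoring agent might report it
    (constructed schema for this example, not a real product's format)."""
    ts: float           # seconds since start of trace
    pid: int
    op: str             # "write", "rename" or "exec"
    path: str           # written path, or the new path for a rename
    data: bytes = b""   # for writes: the bytes written (or a leading sample)
    cmdline: str = ""   # for exec events


@dataclass
class Alert:
    pid: int
    window_start: float
    files_rewritten: int
    high_entropy_writes: int
    new_extensions: set[str] = field(default_factory=set)
    shadow_copy_deletion: bool = False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Matches the shadow-copy removal step 3 describes, via the Windows
    utilities that administer shadow copies (vssadmin, wmic shadowcopy)."""
    c = cmdline.lower()
    return ("vssadmin" in c or "shadowcopy" in c) and "delete" in c and "shadow" in c


def detect(events: list[FileEvent], window: float = 10.0, min_files: int = 20,
           entropy_threshold: float = 7.0, min_ratio: float = 0.8) -> list[Alert]:
    """One alert per process that, within a single time window, rewrites at
    least min_files distinct files with mostly high-entropy content, or that
    deletes shadow copies. All thresholds are assumptions to tune locally."""
    by_pid: dict[int, list[FileEvent]] = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    alerts: list[Alert] = []
    for pid, evs in by_pid.items():
        shadow = any(e.op == "exec" and is_shadow_copy_deletion(e.cmdline) for e in evs)
        buckets: dict[int, list[FileEvent]] = defaultdict(list)
        for e in evs:
            if e.op in ("write", "rename"):
                buckets[int(e.ts // window)].append(e)
        fired = False
        for b, bevs in sorted(buckets.items()):
            writes = [e for e in bevs if e.op == "write"]
            files = {e.path for e in writes}
            high = sum(1 for e in writes if shannon_entropy(e.data) >= entropy_threshold)
            exts = {e.path.rsplit(".", 1)[-1].lower()
                    for e in bevs if e.op == "rename" and "." in e.path}
            if len(files) >= min_files and high >= min_ratio * len(writes):
                alerts.append(Alert(pid, b * window, len(files), high, exts, shadow))
                fired = True
                break   # one alert per process is enough for triage
        if shadow and not fired:
            alerts.append(Alert(pid, min(e.ts for e in evs), 0, 0, set(), True))
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed trace: a benign editor saving notes, and one process that
    rewrites 25 documents with random-looking bytes, renames them, and then
    tries to remove shadow copies."""
    rng = random.Random(7)
    events: list[FileEvent] = []
    notes = b"meeting notes, action items, follow up next week\n" * 8
    for i, t in enumerate((1.0, 4.0, 8.5)):
        events.append(FileEvent(t, 1001, "write", f"C:\\Users\\alice\\notes{i}.txt", notes))
    for i in range(25):
        t = 2.0 + i * 0.2
        path = f"C:\\Users\\alice\\Documents\\file{i}.docx"
        blob = bytes(rng.getrandbits(8) for _ in range(1024))   # stands in for ciphertext
        events.append(FileEvent(t, 4242, "write", path, blob))
        events.append(FileEvent(t + 0.05, 4242, "rename", path + ".locked"))
    events.append(FileEvent(7.5, 4242, "exec", "",
                            cmdline="vssadmin.exe delete shadows /all /quiet"))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Legitimate bulk compression or disk-encryption jobs also produce high-entropy writes, so the rename-to-new-extension and shadow-copy signals are what keep the false-positive rate tolerable in practice.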

CyberSecOP: Ransomware Remediation and Prevention Service

RANSOMWARE MITIGATION STRATEGIES

For many organizations, preventing ransomware entirely is nearly impossible; however, the impact of a successful infection can be greatly reduced if a robust data backup process is in place. Comprehensive data backups should be scheduled as often as possible and must be kept offline in a separate and secure location. The most effective method to prevent ransomware infections is to conduct regular training and awareness exercises with all employees to ensure users are proficient in safe Internet-browsing techniques and able to identify phishing emails. For specific recommendations for data protection, systems management, network management, mobile device management, and post-infection remediation.

5 steps for preventing ransomware

Hardening Your Environment Against Ransomware

To avoid ransomware infection, follow these steps:

1.    Back up your computers and servers regularly.

Regularly back up the files on both the client computers and servers. Either back up the files when the computers are offline or use a system that networked computers and servers cannot write to. If you do not have dedicated backup software, you can also copy the important files to removable media. Then eject and unplug the removable media; do not leave the removable media plugged in.

2.    Lock down mapped network drives by securing them with a password and access control restrictions.

Use read-only access for files on network drives, unless it is absolutely necessary to have write access for these files. Restricting user permissions limits which files the threats can encrypt.

3.    Deploy and enable the following Endpoint Protection:

Implement and manage endpoint antivirus on all endpoints to prevent ransomware; most ransomware can be detected by popular antivirus products.

4.    IPS/IDS

IPS blocks some threats that traditional virus definitions alone cannot stop. IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.

See Enabling network intrusion prevention or browser intrusion prevention.

5.    Download the latest patches for web application frameworks, web browsers, and web browser plug-ins.

Exploit kits cannot deliver drive-by downloads unless there is an old version of a plug-in to exploit, such as Flash. Historically, attacks were delivered through phishing and web browsers. Recently, more attacks are delivered through vulnerable web applications, such as JBoss, WordPress, and Joomla.

6.    Use an email security product to handle email safely.

CryptoLocker is often spread through spam emails that contain malicious attachments. Scanning inbound emails for threats with a dedicated mail security product or service is critical to keep ransomware and other malware out of your organization. For important advice and recommendations, see:

How to remove ransomware

There is no ransomware removal tool or CryptoLocker removal tool. Instead, if your client computers do get infected with ransomware and your data is encrypted, follow these steps:

1.    Do not pay the ransom.

If you pay the ransom:

• There is no guarantee that the attacker will supply a method to unlock your computer or decrypt your files.

• The attacker uses the ransom money to fund additional attacks against other users.

2.    Isolate the infected computer before the ransomware can attack network drives to which it has access.

3.    Update the virus definitions and scan the client computers.

New definitions are likely to detect and remediate the ransomware. Configure Endpoint Protection to automatically download virus definitions to the client, as long as the client is managed and connected to the Symantec Endpoint Protection Manager.

4.    Restore damaged files from a known good backup.

Endpoint Protection cannot decrypt the files that ransom lockers have sabotaged.

5.    Submit the malware to your antivirus provider.

If you can identify the malicious email or executable, submit it to your antivirus provider.

Remediate Ransomware Attack - Ransomware Survival

Made famous by the WannaCry attack that crippled the NHS in 2017, ransomware is continuing to hit businesses. According to security research firm Symantec, infections have steadily increased every year since 2013, reaching record levels in 2017.

Even over the last few months, ransomware has impacted multiple organizations, including the PGA of America, and the borough of Matanuska-Susitna in Alaska – where government workers were forced to use typewriters to carry out their daily tasks.

It is not surprising that governments are concerned about the impact of the malicious software, which locks a user’s device or data until they pay a ransom. In the UK, the National Cyber Security Centre (NCSC) has published advice on mitigating against ransomware. Meanwhile, the UK government’s behavioral change campaign for cybersecurity, Cyber Aware, promotes simple measures to stay more secure online.


But according to security researchers, there has been a decline in ransomware compared to other threats including cryptomining. Yet the malicious software remains a very real risk: attacks are becoming fewer but more targeted. “The major difference between 2017 and 2018 appears to be a trend towards more targeted ransomware,” says Matt Shabat, strategy director at Glasswall Solutions. “Instead of seeking mass infections through relatively blunt means, threat actors are using more precise infection vectors to achieve initial compromise.”


Identifying ransomware

Ransomware comes in two types. The first encrypts the files on a computer or network; the second locks a user's screen. “Some ransomware will also act like a worm – as was the case with WannaCry – and once inside a network, will spread laterally to other machines without interaction by the attacker or the infected user,” says an NCSC spokesman.

Occasionally, malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as ‘wiper’ malware.

The ‘ransom’ is often demanded in a cryptocurrency such as Bitcoin, or as a prepaid card or gift voucher. In many cases the ransom amount is modest, a tactic designed to make paying the quickest and cheapest way to resume use.

Generally, if a firm is hit by ransomware, it will have no trouble realising it. Infected computers will be inaccessible because key files have been encrypted, with a ransom note displayed on-screen.

Most ransomware pops up a pay page, either in a text editor or on a browser, says Paul Ducklin, senior technologist at Sophos. “But a lot of it also changes your desktop wallpaper to a graphical image of the pay page.”

And sadly, the first sign of compromise may already be too late, especially if ransomware has spread network-wide and every desktop is hijacked, says Chris Boyd, malware analyst at Malwarebytes. “Much of it comes down to basic social engineering, and fake emails aimed at HR with dubious receipt attachments harboring an infection.”

Recognizing the warning signs: Ransomware and email phishing

Email still remains the top attack vector for all malicious activity, says Adenike Cosgrove, cybersecurity strategist, EMEA, Proofpoint. She says the easiest route for cyber criminals is to exploit the vulnerability of humans “through simple yet sophisticated social engineering tactics”. She explains: “Cybercriminals have found new ways to exploit the human factor — the instincts of curiosity and trust that lead well-intentioned people to play into the hands of the attacker. This could be in the form of a disguised URL or seemingly benign attachment, but all it takes is one click and the ransomware can take hold immediately.”

The majority of ransomware is spread via massive spam campaigns involving hundreds of thousands of emails sent daily, says Dick O'Brien, threat researcher at Symantec.

Ransomware may also be spread via websites compromised to host what’s known as an exploit kit. “This is a tool that scans the visitor’s computer to see if it’s running software with known vulnerabilities,” says O’Brien. “If it finds any, it will exploit one of these vulnerabilities to download and install ransomware on the victim’s computer.”

In a small number of cases, firms may be specifically targeted by groups who attempt to break into the company’s network and infect as many computers as possible before triggering the ransomware.

How to fight off ransomware

You’ve been hit. So, what do you do?

“A lot of ransomware is poorly coded, or master keys are leaked, and it's worth checking online to see if anyone has built a decryptor tool,” says Boyd. He says his firm Malwarebytes has released standalone versions for certain versions of Petya and Chimera, “and there's many more out there”.

Whatever you do, it is agreed that paying the ransom is a big mistake. Indeed, the National Crime Agency encourages industry and the public not to pay the ransom.

“We strongly advise not to pay the ransom, as it simply encourages the scammers to continue with their profitable business model,” agrees Boyd.

Jake Moore, cybersecurity specialist at ESET says he always advises against paying. “But I have seen CEOs with their heads in their hands asking me, ‘what else can we do?’ when they realise their resilience measures have also been attacked.”

Yet there is no guarantee that you will ever receive the data back and if you do, it might be damaged. “Funding cyber criminals also funds larger cyber-attacks, so it must be reiterated that paying won't always make the issue go away,” says Moore.

Avoiding future attacks requires preparation such as incident response plans and educating employees.

organizations aren't training employees in security basics. “Perhaps they're not sending out emails warning about common scams, or maybe they aren't bothering with security tools known to prevent exploits and ransomware.”

Employees should be trained on how to spot attacks. This helps to avoid becoming a victim, and also means staff can raise the alarm straight away, says Rick Hemsley, managing director, Accenture Security. “Employees can become your strongest line of defense. Attackers will hit as many people in an organization as possible, and one click is all it takes. So, having a workforce of people ready to sound the alarm will help prevent that one click.”

Helen Davenport, director, Gowling WLG says it’s important to look for less obvious attacks. “Looking out for the less obvious attacks is highly advisable. If any hint of files being corrupted or encrypted is immediately addressed at the source, it will help to reduce the extent of an attack.”

It might seem obvious, but backup is integral. Even without other measures, firms would still be able to bring their files back with ease if they had a sensible backup process in place.

T-Mobile Hit With Security Breach, 2 Million Affected

On Aug. 20, hackers hit T-Mobile and, according to a statement from the company, gained access to personal information for some of its customers. While no financial data or Social Security numbers were exposed, information including names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types was potentially compromised.

While the company has not released concrete numbers for the hack, it is estimated that approximately 2 million customers were affected.

The company, with approximately 77 million total users, has notified affected customers via text message and posted the following message for its customers.

T-Mobile Notice 

Dear Customer –

Out of an abundance of caution, we wanted to let you know about an incident that we recently handled that may have impacted some of your personal information.

On August 20, our cyber-security team discovered and shut down an unauthorized access to certain information, including yours, and we promptly reported it to authorities. None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).

If you have questions about this incident or your account, please contact Customer Care at your convenience. If you are a T-Mobile customer, you can dial 611, use two-way messaging on MyT-Mobile.com, the T-Mobile App, or iMessage through Apple Business Chat. You can also request a call back or schedule a time for your Team of Experts to call you through both the T-Mobile App and MyT-Mobile.com. If you are a T-Mobile For Business or Metro PCS customer, just dial 611 from your mobile phone.

We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and are so sorry for any inconvenience this has caused you.

Prevent DDoS attacks across your enterprise

DDoS (Distributed Denial of Service) attacks are among the most dreaded kinds of cyber attacks for any enterprise today. This is because, as the name suggests, they cause a total denial of service: they exhaust all resources of an enterprise network, application or service, and consequently it becomes impossible to gain access to that network, application or service.

In general, a DDoS attack is launched simultaneously from multiple hosts and can overwhelm the resources, the network and the internet services of enterprises of any size. Many prominent organizations today encounter DDoS attacks on a daily basis. DDoS attacks are becoming more frequent, increasing in size, and at the same time becoming more sophisticated. In this context, it becomes really important that enterprises look for DDoS attack prevention services, in fact the best DDoS attack prevention services, so as to ensure maximum protection for their network and data.

The different kinds of DDoS attacks

Though there are different kinds of DDoS attacks, broadly speaking there are three categories into which all the different kinds of DDoS attacks would fit.

The first category is the volumetric attacks, which include those attacks that aim at overwhelming network infrastructure with bandwidth-consuming traffic or by deploying resource-sapping requests. The next category, the TCP state-exhaustion attacks, refer to the attacks that help hackers abuse the stateful nature of the TCP protocol to exhaust resources in servers, load balancers and firewalls. The third category of DDoS attacks, the application layer attacks, are basically the ones targeting any one aspect of an application or service at Layer 7.

Of the above-mentioned three categories, volumetric attacks are the most common ones; at the same time there are DDoS attacks that combine all these three vectors and such attacks are becoming commonplace today.

DDoS attacks getting sophisticated, complex and easy-to-use

Cybercriminals today are getting cleverer and smarter. They tend to package complex, sophisticated DDoS attack tools into easy-to-use downloadable programs, thereby making it easy even for non-techies to carry out DDoS attacks against organizations.

What are the main drivers behind DDoS attacks? Well, there could be many, ranging from ideology or politics to vandalism and extortion. DDoS is increasingly becoming a weapon of choice for hacktivists as well as terrorists who seek to disrupt operations or resort to extortion. Gamers too use DDoS as a means to gain competitive advantage and win online games.

There are clever cybercriminals who use DDoS as part of their diversionary tactics, intending to distract organizations during APT campaigns that are planned and executed in order to steal data.

How to prevent DDoS attacks

The first thing that needs to be done, to prevent DDoS attacks from happening, is to secure internet-facing devices and services. This helps reduce the number of devices that can be recruited by hackers to participate in DDoS attacks.

Since cybercriminals abuse protocols like NTP, DNS, SSDP, Chargen, SNMP and DVMRP to generate DDoS traffic, it’s advisable that services that use any of these ought to be carefully configured and run on hardened, dedicated servers.

Do repeated tests for security issues and vulnerabilities. One good example is doing penetration tests for detecting web application vulnerabilities.

Ensure that your enterprise implements anti-spoofing filters as covered in IETF Best Common Practices documents BCP 38 and BCP 84. This is because hackers who plan DDoS attacks would generate traffic with spoofed source IP addresses.
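The anti-spoofing filtering that BCP 38 and BCP 84 describe can be modelled as a per-interface source-address check. The following is an added example (not from the article or either BCP): a toy edge router that applies strict unicast reverse-path forwarding on customer-facing interfaces and loose mode on the upstream link, with constructed routes, interface names and bogon list.

```python
# Added example, not from the article: an ingress anti-spoofing check in the
# spirit of BCP 38 (strict source validation at the customer edge) and BCP 84
# (loose unicast RPF on upstream links). Routes, interface names and the
# sample packets are constructed for illustration.
import ipaddress
from typing import Optional, Tuple

# Constructed routing table: prefix -> egress interface.
ROUTES = {
    "203.0.113.0/24": "cust-a",   # assigned to customer A
    "198.51.100.0/25": "cust-b",  # assigned to customer B
    "192.0.2.0/24": "upstream",   # an Internet prefix learned from upstream
    "0.0.0.0/0": "upstream",      # default route
}

# Per-interface uRPF mode: strict on customer edges, loose towards upstream,
# because return paths across the Internet are often asymmetric.
IFACE_MODE = {"cust-a": "strict", "cust-b": "strict", "upstream": "loose"}

# Source ranges that must never arrive from outside (RFC 1918, loopback, etc.).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def lookup(src: ipaddress.IPv4Address) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match over ROUTES; the default route never counts,
    as it would otherwise validate any source address at all."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_check(src_ip: str, in_iface: str) -> str:
    """Return 'forward' or 'drop:<reason>' for a packet with source src_ip
    arriving on in_iface. Strict mode requires the reverse path for the
    source to point back out of the receiving interface; loose mode only
    requires that some route to the source exists."""
    src = ipaddress.ip_address(src_ip)
    if any(src in b for b in BOGONS):
        return "drop:bogon-source"
    match = lookup(src)
    if match is None:
        # A production router would hold a full table; the toy table does not.
        return "drop:no-route-to-source"
    net, iface = match
    if IFACE_MODE.get(in_iface, "strict") == "strict" and iface != in_iface:
        return f"drop:spoofed-source({net} belongs to {iface})"
    return "forward"


if __name__ == "__main__":
    for pkt in [("203.0.113.7", "cust-a"), ("198.51.100.9", "cust-a"),
                ("192.168.1.1", "cust-a"), ("203.0.113.7", "upstream")]:
        print(pkt, "->", ingress_check(*pkt))
```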

Though there are no fool-proof techniques that can prevent DDoS attacks completely, you can ensure maximum protection by ensuring proper configuration of all machines and services. This would ensure that attackers don’t harness publicly available services to carry out DDoS attacks.

It’s to be remembered that it’s difficult to predict or avoid DDoS attacks and also that even an attacker with limited resources can bring down networks or websites. Hence, for any organization, it becomes important that the focus is always on the maximum level of protection for enterprise networks, devices, websites etc.

Maryland fails OIG security audit

A U.S. Department of Health and Human Services Office of Inspector General audit of Maryland’s Medicaid system found the state did not adequately secure its Medicaid Management Information System (MMIS) and Medicaid data, which potentially put patient data and operations at risk.

OIG performed a vulnerability assessment scan to determine if there were existing vulnerabilities on the MMIS network, devices, websites and database. And while OIG officials found the state adopted a security program for the system, there were “significant system vulnerabilities.”

“These vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems,” the report authors wrote.


While there’s no evidence of unauthorized access, officials found that if exploited, the system flaws would have allowed unauthorized access and exposed Medicaid data and “the disruption of critical Medicaid operations.”


Not only that, but officials said the vulnerabilities were significant enough that they could have compromised the integrity of the state’s Medicaid program. While details of the flaws weren’t publicly disclosed, officials said they were caused by a lack of sufficient controls.

Officials made a series of recommendations to bolster the state’s security program and systems to meet federal requirements. State officials agreed with the recommendations and outlined the steps they had taken and their plans to shore up security.

Maryland is just the latest state to be audited by OIG, many with similar results. In fact, HHS itself had a less than stellar audit in Dec. 2017. The audits are intended to find flaws and improve security posture across government systems.

It should serve as a reminder for organizations to audit their own programs, as hackers are becoming more sophisticated and require just a small window to gain access to a network.

What is a Botnet - Cybercriminals' #1 Weapon

The word Botnet is formed from the words ‘robot’ and ‘network’. Cybercriminals use special Trojan viruses to breach the security of several users’ computers, take control of each computer and organise all of the infected machines into a network of ‘bots’ that the criminal can remotely manage.


How Botnets can impact you
Often, the cybercriminal will seek to infect and control thousands, tens of thousands or even millions of computers – so that the cybercriminal can act as the master of a large ‘zombie network’ – or ‘bot-network’ – that is capable of delivering a Distributed Denial of Service (DDoS) attack, a large-scale spam campaign or other types of cyberattack.

In some cases, cybercriminals will establish a large network of zombie machines and then sell access to the zombie network to other criminals – either on a rental basis or as an outright sale. Spammers may rent or buy a network in order to operate a large-scale spam campaign.

How to prevent your computer becoming part of a Botnet
Installing effective anti-malware software will help to protect your computer against Trojans and other threats.


What advice does the world's first CISO have

What advice does the world's first CISO have for the current generation of CISOs? Stephen Katz emphasizes, first and foremost, that cybersecurity must be treated as a business risk management issue rather than a technology issue.

"Security has to evolve and grow at the same pace as the business," he stresses in an interview with Information Security Media Group.

The role of the CISO has to be recognized as a core business function, he adds. "Security has to be an enabler of the business; security has to earn a seat at the executive table. Too often, we give people the title of chief information security officer; they don't believe they're an executive, and executives don't believe they are an executive."


In this interview, Katz also discusses:

Changes in the threat landscape since becoming the world's first CISO;
Top priorities for CISOs in the coming year;
Why getting back to the basics of security remains so important;
The ongoing growth of machine learning models in all aspects of cybersecurity.
Katz is the founder and president of Security Risk Solutions LLC, an information security company providing consulting, mentoring, coaching and advisory services. He was formerly CISO at JPMorgan Chase, Citigroup and Merrill Lynch.